Contrast OSS identifies open-source components through runtime analysis, file system scanning, and dependency analysis. Leveraging these techniques, OSS reports an exact inventory to Contrast.

By default, Contrast Assess includes powerful OSS capabilities. With an OSS license, you have access to advanced OSS capabilities.

This image shows the OSS workflow


To simplify the process and merge open-source analysis with custom code analysis, OSS is integrated as part of the Contrast platform. Here's what you can do with OSS (some of these features are free and other require an OSS license):

  • Open-source license management: Contrast OSS provides license data tied to open-source components. This data helps you understand intellectual property compliance and mitigate operational risk.

    This feature requires an OSS license.

  • Open-source policy: With OSS, you can set policies to denylist open-source licenses. If a denylisted license type is deployed in your applications, it triggers an alert. To keep your library usage safe, set compliance policies for your organization.  To restrict use of specific open-source libraries and licenses, as well as set version requirements, you can set library policies.

    This feature requires an OSS license.

  • Identification of CVE vulnerabilities Contrast OSS identifies the CVE vulnerabilities for each library that your applications are using.This data includes a description of each CVE vulnerability for a selected library as well as the number of applications using that library.

    This feature is available without an OSS license.

  • CLI and dependency tree: The Contrast command line interface (CLI) allows testing source code at the earliest stages of development. The data collected by the Contrast CLI is used to display a dependency tree that brings awareness to underlying library dependencies.

    This feature is available without an OSS license.

Contrast data

Once a library is reported to Contrast, you can access:

  • Library usage analysis to identify whether vulnerable components are actually used by the application

  • Library version identification and guidance on the latest version

  • Comprehensive vulnerabilities coverage

  • Portfolio wide, real-time reporting of open-source components